The CFAA is a kind of catch-all for any kind of computer-related activity that the feds don't particularly like. It's effective, because it's vaguely worded enough to criminalize almost any activity. It's the same statute under which Aaron Swartz was controversially charged and Chelsea Manning was convicted. Part of the reason for the vague wording is that it was originally written in 1986, before Congress or the public at large had a good understanding of networked computers. The law used to convict hackers in the US is almost 30 years old.

It's not without its detractors. In the past, there have been attempts to use the CFAA to charge people for engaging in denial of service attacks, which are admittedly annoying, but feel more like the online equivalent of a sit-in than they do hacking. It has also been used to charge people with violating terms of service. So remember that the next time you blithely agree to the latest iTunes TOS update.

In 2011, Marcia Hofmann of the Electronic Frontier Foundation appeared on On the Media to talk about the EFF's concerns about the CFAA (audio below). However, in spite of several calls for reform, including the introduction of "Aaron's Law," named for the late Aaron Swartz, the CFAA remains unchanged.

The CFAA was tailor-made to punish precisely the kind of behavior that Hunter Moore is charged with: breaking into other people's accounts and disseminating their personal information. On top of that, Moore is being charged for behavior from 2011, before California's anti-revenge porn law went into effect (though Santa Clara law prof Eric Goldman says it's not a particularly great law anyway). But it's interesting that he wasn't charged for the act of posting the pictures itself, and if it weren't for his alleged conspiracy to hack - if he had gotten these pictures through some other means - this indictment might never have come down.

Distributed denial of service attacks have been used for criminal purposes for a long time now. Companies get DDOS'ed for an hour, and then they get an email that they will be down for days or weeks unless they pay up. The New Yorker had a fascinating article on this several years ago (2005ish?). Like viruses, DOS attacks long ago crossed over from crazy experiment to criminal enterprise.

Also, DDOS attacks are usually caused by an individual (with a botnet). One of the earliest DDOS warnings was from security researcher Steve Gibson, who tracked down his persecutor (a 14-year-old "script kiddie") and interviewed him; basically, it was done for the lulz. There might be a few attacks that have higher motives, but very few deserve being compared to a sit-in.